I was talking to a CIO recently, and they were expressing some of their frustrations. They had transitioned to a new fractional CISO cybersecurity provider. The change in and of itself wasn't the rub; in fact, the onboarding had been smooth and the communication wonderful. The rub came within their own organization.
Any tool the fractional CISO wanted to introduce, any decision they wanted the organization to make, had to run through the organization's own risk department. The problem was that the risk department had no technical staff. They didn't understand all of the technology or all of its ramifications, but they had a sincere desire to figure it out and understand everything comprehensively before they could act on any decision. Watching a department of non-technical employees struggle to comprehend the solutions placed before them by the fractional CISO was just like watching the hobbits Merry and Pippin trying to convince the Ents to defend Middle-earth.
The translation problem
I've been reflecting on that conversation, and I believe the root cause is a message lost in translation. The risk department is not trying to be a holdup, but they are concerned about the ramifications of the decisions they approve. They don't feel they have the information they need to decide quickly, so they need more information and more meetings to ask more questions. For example, they feel the need to become subject matter experts in AI and data retention before they can weigh everything and make an informed decision. If that were the process for every decision, it would require an extraordinary amount of learning and training, unreasonable for the position and pay level. What could help them make decisions faster?
How the industry translates today
Instead of trying to train them on the nuances of every technology and turning them into subject matter experts, we need to translate the message into the language of Risk Management. To bridge this gap, the industry leans on risk quantification. Most companies in the GRC space give their clients spreadsheets and guidelines: identify your vulnerabilities, score the impact each one would have on the organization if it were exploited on a scale of 1–5, score the likelihood of it being exploited on a scale of 1–5, multiply the two, and you have a risk score. (Both inputs are ordinal ratings, so the product is a ranking aid rather than a measurement, but it does put the register in an order.) Then you can identify your highest risks and create a plan to mitigate them. Once all of your risks are quantified, you have a translation your risk management and executive teams can act on more quickly. They see the numbers, the numbers make sense, and they can explain, with numbers, why action 1 was chosen instead of action 2.
Analysis paralysis
The problem with that process is that it shifts the Ent-speak from your Risk Management team to your cybersecurity team. Now they have to do the expensive legwork of quantifying every decision they present to Risk Management, and that isn't easy either. Many cybersecurity professionals get stuck in analysis paralysis. Is this really a 3, or should it be a 4? That question can spiral into countless hours of online research or discussions with other professionals. How do I know what this should truly be? It is as if they were sent on a quest for not one but hundreds or even thousands of holy grails, and the job doesn't get done well, or at all. Many times they end up filling the sheet with 3's, hesitant to make anything too big a deal or to downplay it, because middle of the road seems safe. When they are done, nothing stands out, and any prioritization or actionable intel is completely lost in translation. Worse, sometimes they invent the numbers to validate decisions already made in their heads, justifying the shiny tools they want to buy.
This process needs to be easier. It already is when it comes to scanning the environment: CVEs already exist, their severity has already been assessed, and fixing critical vulnerabilities is easy to justify against well-defined SLAs. But the often intangible aspects of cybersecurity, the policy, facility and training gaps, are an underdeveloped area that needs a lot of love.
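To make the two failure modes above concrete, here is a small risk register that implements the impact × likelihood matrix from the "How the industry translates today" section and then checks whether the finished sheet actually separates anything. This is an added example, not code from the original page or from SignumCyber; the risk names, scores and the `min_distinct` / `min_spread` thresholds are constructed assumptions for illustration.

```python
# Added example (not from the original page or SignumCyber): a minimal
# impact x likelihood risk register, plus a check for the "sheet full of 3s"
# failure mode. Risk names, scores and thresholds below are constructed.
from dataclasses import dataclass
from statistics import pstdev
from typing import Iterable

SCALE = range(1, 6)  # the 1-5 ordinal scale the GRC spreadsheets use


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int       # consequence if exploited, 1 (negligible) .. 5 (severe)
    likelihood: int   # chance of exploitation, 1 (rare) .. 5 (almost certain)

    def __post_init__(self) -> None:
        # Reject anything off the scale so a typo cannot silently outrank real findings.
        for field, value in (("impact", self.impact), ("likelihood", self.likelihood)):
            if value not in SCALE:
                raise ValueError(f"{self.name}: {field}={value} is outside 1-5")

    @property
    def score(self) -> int:
        # Product of two ordinal ratings: good enough for ranking, not a measurement.
        return self.impact * self.likelihood


def rank(risks: Iterable[Risk]) -> list[Risk]:
    """Highest risk first; ties broken by impact so a 5x2 outranks a 2x5."""
    return sorted(risks, key=lambda r: (-r.score, -r.impact, r.name))


def discrimination(risks: Iterable[Risk]) -> tuple[int, float]:
    """How much the register separates its rows:
    (number of distinct scores, population std dev of the scores)."""
    scores = [r.score for r in risks]
    return len(set(scores)), pstdev(scores)


def has_prioritization(risks: Iterable[Risk],
                       min_distinct: int = 3, min_spread: float = 2.0) -> bool:
    """False when the sheet cannot tell anyone what to fix first, e.g. because
    every row was scored 3 x 3. The thresholds are assumptions, tune per register."""
    risks = list(risks)
    if len(risks) < 2:
        return False
    distinct, spread = discrimination(risks)
    return distinct >= min_distinct and spread >= min_spread


# Constructed sample: an honestly scored register with deliberate spread.
HONEST = [
    Risk("No MFA on VPN", impact=5, likelihood=4),
    Risk("Unpatched public web server", impact=4, likelihood=4),
    Risk("No offboarding checklist", impact=3, likelihood=4),
    Risk("Badge reader logs not retained", impact=2, likelihood=2),
    Risk("Stale AV signatures on lobby kiosk", impact=2, likelihood=1),
]

# Constructed sample: the same rows after an analyst played it safe with all 3s.
ALL_THREES = [Risk(r.name, impact=3, likelihood=3) for r in HONEST]

if __name__ == "__main__":
    for label, register in (("honest", HONEST), ("all threes", ALL_THREES)):
        distinct, spread = discrimination(register)
        print(f"{label}: distinct={distinct} spread={spread:.1f} "
              f"actionable={has_prioritization(register)}")
        for r in rank(register)[:3]:
            print(f"  {r.score:>2}  {r.name}")
```

Run it and the honest register ranks the missing MFA first with five distinct scores, while the all-3s register collapses to a single score of 9 with zero spread and `has_prioritization` returns False, which is the "nothing stands out" outcome described above made checkable rather than a feeling.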
Where we could move the needle
That is where we felt we could move the needle with SignumCyber. Here’s the key insight: the Ent-speak doesn’t disappear when you quantify risk. Someone still has to do the agonizing. So instead of making every cybersecurity team at every organization reinvent that wheel, we volunteered to do it once, for everyone. Our clients export the Ent-speak to us.
And we did the work. We spent months poring over the vulnerabilities that exist in an organization. We didn't just focus on the ones caused by software, but more comprehensively on those caused by missing policies, gaps in physical facilities, and problems in training, the intangibles that computer automation can't pick up on and score easily. This wasn't one person guessing. The scores were built and cross-checked by a team that included a cybersecurity professional with a master's degree and a CISSP, alongside a consultant who has worked with several of the Big 4 firms. We used AI to pressure-test and scale our work, reviewed its output critically, and we continually revisit the scores as the landscape shifts. The point isn't that our numbers are magically perfect; rather, they're consistent and defensible across an entire catalog, so no single analyst at your organization is stuck reinventing the wheel per vulnerability, and nothing stands out for the wrong reasons.
You could find the same success in your organization doing the same work, but think of the workload we are offering to carry for you. Even if you trusted an AI to generate these numbers yourself, consider the scale: there are over 55,000 data points feeding our application. Recreating that level of granularity, and then maintaining it, would take an enormous amount of time. Why reinvent the wheel when we've already built it for you?
We didn't stop at impact, likelihood, and risk. We also scored every action on ease of implementation, a composite of sub-scores for time to implement, complexity of implementation, operational impact, and dependencies. We mapped every action to five different security frameworks and quantified the ROI using FAIR (Factor Analysis of Information Risk) and current leading industry reports.
Minutes instead of meetings
The result is that the conversation with Risk Management now takes minutes instead of meetings, and it happens in their language. You can show them the outstanding risk, the steps the organization can take to fix it, what it would cost to implement, the return on investment, and how it benefits the company from a compliance and risk-reduction standpoint. Your organization no longer needs to rely on Ent huddles to move the needle on cybersecurity.